-
-
Notifications
You must be signed in to change notification settings - Fork 14.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
python3Packages.requests: patch in CA bundles
The requests library defaults to using the certificates from the certifi library when not otherwise specified. If I understand the discussion at #8247 correctly, we should instead patch it so that it follows the following priority order: 1. the path pointed to by the environment variable $NIX_SSL_CERT_FILE 2. /etc/ssl/certs/ca-certificates.crt 3. whatever it was doing before (in this case, using certifi) This commit implements that.
- Loading branch information
Showing
2 changed files
with
62 additions
and
0 deletions.
There are no files selected for viewing
60 changes: 60 additions & 0 deletions
60
...pment/python-modules/requests/0001-Prefer-NixOS-Nix-default-CA-bundles-over-certifi.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| From b36083efafec5a3c1c5864cd0b62367ddf3856ae Mon Sep 17 00:00:00 2001 | ||
| From: Keshav Kini <[email protected]> | ||
| Date: Sun, 16 May 2021 20:35:24 -0700 | ||
| Subject: [PATCH] Prefer NixOS/Nix default CA bundles over certifi | ||
|
|
||
| Normally, requests gets its default CA bundle from the certifi | ||
| package. On NixOS and when using Nix on non-NixOS platforms, we would | ||
| rather default to using our own certificate bundles controlled by the | ||
| Nix/NixOS user. | ||
|
|
||
| This commit overrides requests.certs.where(), which previously was | ||
| just aliased to certifi.where(), so that now it does the following: | ||
|
|
||
| - When run by Nix on non-NixOS, the environment variable | ||
| $NIX_SSL_CERT_FILE will point to the CA bundle we're using, so we | ||
| use that. | ||
|
|
||
| - When running on NixOS, the CA bundle we're using has the static path | ||
| /etc/ssl/certs/ca-certificates.crt , so we use that. | ||
|
|
||
| - Otherwise, we fall back to the original behavior of using certifi's | ||
| CA bundle. Higher in the call stack, users of requests can also | ||
| explicitly specify a CA bundle to use, which overrides all this | ||
| logic. | ||
| --- | ||
| requests/certs.py | 18 +++++++++++++++++- | ||
| 1 file changed, 17 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/requests/certs.py b/requests/certs.py | ||
| index d1a378d7..faf462b7 100644 | ||
| --- a/requests/certs.py | ||
| +++ b/requests/certs.py | ||
| @@ -12,7 +12,23 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed | ||
| environment, you can change the definition of where() to return a separately | ||
| packaged CA bundle. | ||
| """ | ||
| -from certifi import where | ||
| + | ||
| +import os | ||
| + | ||
| +import certifi | ||
| + | ||
| + | ||
| +def where(): | ||
| + nix_ssl_cert_file = os.getenv("NIX_SSL_CERT_FILE") | ||
| + if nix_ssl_cert_file and os.path.exists(nix_ssl_cert_file): | ||
| + return nix_ssl_cert_file | ||
| + | ||
| + nixos_ca_bundle = "/etc/ssl/certs/ca-certificates.crt" | ||
| + if os.path.exists(nixos_ca_bundle): | ||
| + return nixos_ca_bundle | ||
| + | ||
| + return certifi.where() | ||
| + | ||
|
|
||
| if __name__ == '__main__': | ||
| print(where()) | ||
| -- | ||
| 2.31.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters